From: Christoph Hellwig <hch@infradead.org>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Jan Kara <jack@suse.cz>, yalin wang <yalin.wang2010@gmail.com>,
	Willy Tarreau <w@1wt.eu>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5] fs: clear file privilege bits when mmap writing
Date: Wed, 9 Dec 2015 17:21:30 -0800
Message-ID: <20151210012130.GA17673@infradead.org>
In-Reply-To: <20151209225148.GA14794@www.outflux.net>

> Changing the bits requires holding inode->i_mutex, so it cannot be done
> during the page fault (due to mmap_sem being held during the fault). We
> could do this during vm_mmap_pgoff, but that would need coverage in
> mprotect as well, but to check for MAP_SHARED, we'd need to hold mmap_sem
> again. We could clear at open() time, but it's possible things are
> accidentally opening with O_RDWR and only reading. Better to clear on
> close and error failures (i.e. an improvement over now, which is not
> clearing at all).
> 
> Instead, detect the need to clear the bits during the page fault, and
> actually remove the bits during final fput. Since the file was open for
> writing, it wouldn't have been possible to execute it yet.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> I think this is the best we can do; everything else is blocked by mmap_sem.

It should be done at mmap time, before even taking mmap_sem.

Adding a new field for this to struct file isn't really acceptable.
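
The thread above is about where the kernel should drop a file's setuid/setgid bits (the "privilege bits") when the file is modified through a writable MAP_SHARED mapping instead of write(2), and whether that has to happen at mmap time, at fault time, or at final fput. The userspace probe below is an added example, not part of Kees Cook's patch or of this thread: it creates a constructed scratch file under /tmp with mode 06755, dirties it once through write(2) and once through a store into a shared mapping, and reports which bits survive each path. The /tmp location and the page-sized scratch contents are assumptions; the write(2) result follows from the VFS privilege-stripping rules, while the mmap result depends on the kernel you run it on, which is exactly what the patch is trying to change.

```c
/* Added example, not code from the patch or the thread.
 * Observes whether the kernel strips S_ISUID/S_ISGID from a file that is
 * modified (a) via write(2) and (b) via a MAP_SHARED mapping.
 * Assumption: Linux, and a writable /tmp where we own the files we create. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define PRIV_BITS (S_ISUID | S_ISGID)
#define SCRATCH_LEN 4096 /* one page of constructed content to map */

/* Create a regular file with mode 06755 and one page of data.
 * Returns the open O_RDWR fd, or -1 on error (file path stored in *path). */
static int make_privileged_file(char *path, size_t pathlen)
{
    snprintf(path, pathlen, "/tmp/privbits-XXXXXX"); /* assumed location */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    char page[SCRATCH_LEN];
    memset(page, 'A', sizeof page);
    /* 0755 matters: setgid is only a "real" privilege bit when group-exec is set */
    if (write(fd, page, sizeof page) != (ssize_t)sizeof page ||
        fchmod(fd, S_ISUID | S_ISGID | 0755) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Privilege bits currently set on fd, or -1 on error. */
static int priv_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return st.st_mode & PRIV_BITS;
}

/* Dirty the file through write(2); return the privilege bits left afterwards.
 * Without CAP_FSETID the VFS strips both bits on this path, so the result is 0. */
int bits_after_write(void)
{
    char path[64];
    int fd = make_privileged_file(path, sizeof path);
    if (fd < 0)
        return -1;
    int rc = -1;
    if ((priv_bits(fd) & S_ISUID) && pwrite(fd, "x", 1, 0) == 1)
        rc = priv_bits(fd);
    close(fd);
    unlink(path);
    return rc;
}

/* Dirty the file through a shared writable mapping (store, msync, munmap,
 * close) and return the privilege bits left once the last reference is gone,
 * which is the point at which the patch under discussion would clear them.
 * The result depends on the running kernel. */
int bits_after_mmap_write(void)
{
    char path[64];
    int fd = make_privileged_file(path, sizeof path);
    if (fd < 0)
        return -1;
    int rc = -1;
    if (priv_bits(fd) & S_ISUID) {
        char *map = mmap(NULL, SCRATCH_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        if (map != MAP_FAILED) {
            map[0] = 'x';                        /* the write fault */
            msync(map, SCRATCH_LEN, MS_SYNC);    /* push the dirty page out */
            munmap(map, SCRATCH_LEN);
            close(fd);                           /* final fput for our reference */
            fd = -1;
            struct stat st;
            if (stat(path, &st) == 0)
                rc = st.st_mode & PRIV_BITS;
        }
    }
    if (fd >= 0)
        close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("bits left after write(2):    %06o\n", bits_after_write());
    printf("bits left after mmap store:  %06o\n", bits_after_mmap_write());
    return 0;
}
```

Run it as an unprivileged user: a process holding CAP_FSETID is exempt from privilege stripping, so as root both paths report 006000 and tell you nothing. A non-zero result on the mmap path is the gap the patch targets; a zero result means the kernel you are on already handles the mapped-write case.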


